Analysis
-
max time kernel
160s -
max time network
197s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20-10-2022 22:15
Static task
static1
Behavioral task
behavioral1
Sample
c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe
-
Size
176KB
-
MD5
76daf69d6b2a19c9565d52a326e9a730
-
SHA1
7a8e75437957abccb4977578eb61aa056b9715fb
-
SHA256
c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4
-
SHA512
d931c1fd2cad53245a70884d10c4fcb83ac1293e921350bb91def0227f8ed8f217b27c8dffaed0c58ef51706242326a204d05bc77112dab0e9fbe7f682de09c0
-
SSDEEP
1536:bs+KLBCVi9NMIYuQASmS0mJJFL/XlvpjJaHxlmJUl60ReWWKI0pj8YQa2odbdt/2:IBqASmSjXy20pjz24TU
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rehex.exe -
Executes dropped EXE 1 IoCs
pid Process 1468 rehex.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe -
Adds Run key to start application 2 TTPs 50 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /m" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /v" rehex.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /e" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /D" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /h" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /k" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /i" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /L" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /F" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /Z" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /x" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /C" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /z" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /o" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /c" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /I" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /b" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /l" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /K" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /N" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /P" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /w" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /H" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /p" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /G" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /Q" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /E" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /g" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /j" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /T" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /r" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /y" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /S" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /Y" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /A" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /q" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /J" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /f" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /U" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /t" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /u" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /M" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /O" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /X" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /a" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /s" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /V" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /d" rehex.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rehex = "C:\\Users\\Admin\\rehex.exe /B" rehex.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe 1468 rehex.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4972 c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe 1468 rehex.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4972 wrote to memory of 1468 4972 c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe 82 PID 4972 wrote to memory of 1468 4972 c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe 82 PID 4972 wrote to memory of 1468 4972 c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe 82 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30 PID 1468 wrote to memory of 4972 1468 rehex.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe"C:\Users\Admin\AppData\Local\Temp\c3bc13cab300f6f1f5f4e66abdf6fa1a04bf97310d5f98fa060fdf5c8e5b76d4.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\rehex.exe"C:\Users\Admin\rehex.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176KB
MD541537c04fd6f7ba20f79ea56d42e5601
SHA1f5285030c49249f733750b1f02ec1615d9ca5444
SHA25689d45c69c0debac9cc1fcd1e3010bd54b4db73c69705649c466791e4f43023e9
SHA5126c91dc29747d898b3c26124a2933b0f628e4f24809db577fb460c8d7a19d548f9812327b57650ffdaef39db1a48a86bc402e8574fa102c37b34c714ef6c64e9e
-
Filesize
176KB
MD541537c04fd6f7ba20f79ea56d42e5601
SHA1f5285030c49249f733750b1f02ec1615d9ca5444
SHA25689d45c69c0debac9cc1fcd1e3010bd54b4db73c69705649c466791e4f43023e9
SHA5126c91dc29747d898b3c26124a2933b0f628e4f24809db577fb460c8d7a19d548f9812327b57650ffdaef39db1a48a86bc402e8574fa102c37b34c714ef6c64e9e